Firing up Firewalls

One of the first lines of defense against hackers is your firewall. The firewall acts as a filter, blocking unwanted packets from reaching your network. In most cases, a properly configured firewall will protect a network from malware such as the Code Red worm, even if there are vulnerable machines residing inside the network.

One of the first things you need to do is pick a firewall that fits your needs. There are many different types and most serve the same purpose. Also, a firewall is only as secure as the host you place it on. This means that you should pick a secure operating system to use as your firewall. It's true a firewall greatly enhances the security of a system, but if the OS is insecure and in any way exposed, your firewall won't be able to protect it or your network. Thus, you will have a better chance of securing your network if the OS the firewall runs on is secure.

A firewall works at the packet level. It looks at each packet and, based on the rules you set up, decides whether to allow the packet into your network, send it back from whence it came, or completely ignore the fact that it ever existed. Before you can design or even choose a good firewall, you need to understand packets. Dru Lavigne has written an excellent series on TCP/IP packets explaining what they are and how they work. These articles should be required reading before diving into a firewall.
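The three outcomes described above (allow the packet, send it back, or silently ignore it) can be modelled in a few lines. This is an added example, not code from the article or from any particular firewall; it assumes first-match-wins evaluation and a default of drop, and the rule set and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ALLOW, REJECT, DROP = "allow", "reject", "drop"  # pass, send an error back, ignore

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: range = range(0, 65536)

    def matches(self, p):
        # A rule matches only when every field it constrains agrees with the packet.
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.dport in self.dports)

def decide(rules, packet, default=DROP):
    """Return (action, rule_number); the first matching rule wins (assumed model)."""
    for number, rule in enumerate(rules, 1):
        if rule.matches(packet):
            return rule.action, number
    return default, None  # nothing matched: default deny, silently

# Constructed rule set; 192.0.2.0/24 stands in for the protected network.
RULES = [
    Rule(ALLOW, "tcp", dst="192.0.2.10/32", dports=range(80, 81)),    # the one public web server
    Rule(REJECT, "tcp", dst="192.0.2.0/24", dports=range(113, 114)),  # refuse ident quickly
    Rule(ALLOW, "any", src="192.0.2.0/24"),                           # traffic from inside
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.5", "192.0.2.10", 80),
                Packet("tcp", "203.0.113.5", "192.0.2.20", 80),   # unsolicited HTTP to another host
                Packet("tcp", "203.0.113.5", "192.0.2.20", 113),
                Packet("udp", "192.0.2.20", "198.51.100.7", 53)):
        print(pkt, "->", decide(RULES, pkt))
```

The second packet is the case the opening paragraph describes: a web request aimed at an internal machine that was never meant to be reachable falls through every rule and is dropped, whether or not that machine is vulnerable.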

As you start to consider implementing a firewall, you should take a broad look at your network and examine where a firewall fits into your overall security plan. Mike DeGraw-Bertsch explains enough about basic network security to get you started. You will also want to begin reading the O'Reilly Network's Security Alerts column.

Most security professionals will agree that OpenBSD is by far the most paranoid operating system out there. And in the world of security, paranoia is usually considered a good thing. The developers of OpenBSD have tweaked all the default settings to achieve maximum security and are constantly doing a security audit of all components. OpenBSD would be an excellent choice for a firewall. Many people wouldn't trust their network to anything else.

FreeBSD is another good choice for a firewall. There are also several good Linux distributions that have security in mind; however, you need to be careful when choosing one of these distributions. Dru Lavigne has written an excellent series on using IPFW on FreeBSD.

To take it one step further, if you are running Unix as your workstation, you can set up a personal firewall right on your workstation. Mac OS X even comes with IPFW installed by default.

When you finish setting up your firewall, it's a good idea to test it. Network and port scanners can show you what your firewall looks like to hackers. They will let you know whether your firewall is on and expose any holes you might have left open.